Why a Dyre infection leads to more than just stolen banking credentials

“The Dyre/Dyreza information-stealer has without a doubt filled the vacuum generated by the 2014 and 2015 law enforcement takedowns of botnet infrastructure of several prominent financial Trojan groups: Gameover Zeus, Shylock, and Ramnit.

Dyre is often delivered via the Upatre downloader Trojan, which usually gets installed on the victims’ computer after they have downloaded and run an email attachment containing the malware.

Dyre’s primary goal is to harvest victims’ online credentials, and it’s capable of doing this by mounting Man-in-the-Browser attacks against the three most commonly used Windows browsers: Internet Explorer, Firefox, and Chrome. This capability allows it to either redirect the victim to a fake website designed to imitate their banks site, or to inject additional code into authentic web pages in order to harvest the credentials that the user inputs.

Its list of targets mostly includes banks and financial institutions in the US, UK and other English-speaking countries, but it will also attack customers of electronic payments services and users of digital currencies.

Curiously enough, it is also after credentials for several careers- and HR-related websites – Symantec researchers posit that this is either because the criminals want to access valuable personal information in order to sell it, or to use the information to recruit money mules – and credentials for web hosting companies (likely to make it easier for the criminals to develop the C&C infrastructure).

All in all, the group wielding Dyre has targeted customers of over 1,000 organizations around the world, but it’s interesting to see that there are no Russian or Eastern European institutions on that list.

“One possibility is that the attackers may be reluctant to draw attention to themselves by attacking those close to home,” the researchers noted.

This theory is further substantiated by the pattern of Dyre activity registered by Symantec – a pattern that points to the criminals observing a five-day working week as it would look like in the UTC +2 or UTC +3 time zones, which encompass Eastern European countries and the Russian Federation.

“Finally, while a large amount of Dyres C&C infrastructure is located in those regions, a relatively low amount of infections is seen,” they added.

Dyre can also be equipped with additional modules that would allow the criminals behind it to operate the compromised system remotely and to collect other information such as browsing histories, certificates, and cookies.

Finally, it can also download additional malware, and has been spotted downloading an assortment of spamming Trojans, info-stealers that collect user credentials for popular FTP software and wallet.dat files, and bots that enslave the computer into a botnet used for mounting DDoS attacks or brute-force attacks against FTP hosts.”